
Re: Possible ppolicy override for other than rootDN



On Wed, 5 Jun 2013 10:57:10 +0200 (CEST) Christian Kratzer <ck-lists@cksoft.de>
wrote
> We have a customer setup where the corporate identity management applications
> provisions users to the directory, resets their passwords etc... 
>
> The tool binds as a specific user and we permit write access to appropriate
> subtrees via an ACL.
>
> The customer also uses password policy to enforce policy in ldap.
> 
> The problem we have is that the IdM tool is obviously also subject to the
> pwdMinAge and pwdSafeModify policies.  The tool never stores a user's password,
> so when pwdSafeModify is in effect it cannot provide the old password to
> satisfy the policy.  It obviously also cannot reset the password until
> pwdMinAge has elapsed.
>
> Giving the rootDN credentials to the tool is also not an option as we would
> like to keep audit logs clean and have the acl in place to stop the tool from
> writing all over the place. 
>
> So we would like to override password policy for the IdM tool's bind user,
> similarly to how the rootDN is already able to bypass policy.

If it's not already implemented, I'd recommend this feature request:
1. limit such a write operation to a user which has 'manage' access to the
attributes and
2. enable overriding only if the client sends Relax Rules Control along with
the LDAP write request.

Ciao, Michael.
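The override rule proposed in the reply above, simulated as an added example (this is not code from the thread and not OpenLDAP's ppolicy implementation). It models a password modify as accepted or refused depending on the bind DN's access level on userPassword and on whether the Relax Rules control accompanies the request, with the rootDN keeping its unconditional bypass. The rootDN, the bind DNs, the ACL table, the policy values and the entries are constructed for the example; pwdMinAge and pwdSafeModify are modelled as applying to every non-bypassing bind, which is what the original post describes for the IdM tool but is a simplification of the real overlay, and real slapd ACL evaluation is considerably richer than the lookup table used here.

```python
"""Simulation of the 'manage access + Relax Rules control' override proposal.

Added illustration, not OpenLDAP code.  All DNs, ACL grants and policy values
are constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

ROOT_DN = "cn=Manager,dc=example,dc=com"   # constructed rootDN

# slapd access levels from weakest to strongest; 'manage' sits above 'write'.
ACCESS_LEVELS = ("none", "disclose", "auth", "compare", "search", "read", "write", "manage")


def access_at_least(granted: str, required: str) -> bool:
    return ACCESS_LEVELS.index(granted) >= ACCESS_LEVELS.index(required)


@dataclass
class Policy:
    pwd_min_age: int        # seconds a password must exist before it may be changed again
    pwd_safe_modify: bool   # the modify must carry the current password


@dataclass
class Entry:
    dn: str
    user_password: str
    pwd_changed_time: datetime


@dataclass
class PasswordModify:
    bind_dn: str
    target: Entry
    new_password: str
    old_password: Optional[str] = None   # supplied by the client to satisfy pwdSafeModify
    relax_rules: bool = False            # Relax Rules control attached to the request


# Simplified ACL: (bind DN, attribute) -> granted access level.
Acl = Dict[Tuple[str, str], str]


def granted_access(bind_dn: str, attr: str, acl: Acl) -> str:
    if bind_dn == ROOT_DN:
        return "manage"   # the rootDN is not subject to ACLs
    return acl.get((bind_dn, attr), "none")


def may_bypass_policy(req: PasswordModify, acl: Acl) -> bool:
    """Proposed rule: rootDN always bypasses; any other bind bypasses only when it
    holds 'manage' on userPassword AND the request carries the Relax Rules control."""
    if req.bind_dn == ROOT_DN:
        return True
    return req.relax_rules and access_at_least(
        granted_access(req.bind_dn, "userPassword", acl), "manage")


def evaluate(req: PasswordModify, policy: Policy, acl: Acl, now: datetime) -> Tuple[bool, str]:
    """Return (accepted, reason).  The ordinary ACL check runs first, so the
    override never widens where a bind DN may write."""
    if not access_at_least(granted_access(req.bind_dn, "userPassword", acl), "write"):
        return False, "insufficientAccessRights"
    if may_bypass_policy(req, acl):
        return True, "policy bypassed (manage access + Relax Rules control)"
    if policy.pwd_safe_modify and req.old_password != req.target.user_password:
        return False, "pwdSafeModify: current password missing or wrong"
    age = (now - req.target.pwd_changed_time).total_seconds()
    if age < policy.pwd_min_age:
        return False, "pwdMinAge: password too young (%d s < %d s)" % (age, policy.pwd_min_age)
    return True, "policy satisfied"


def demo() -> Dict[str, bool]:
    """Run the scenarios from the thread; returns {scenario: accepted}."""
    policy = Policy(pwd_min_age=86400, pwd_safe_modify=True)
    now = datetime(2013, 6, 5, 9, 0, tzinfo=timezone.utc)
    alice = Entry("uid=alice,ou=people,dc=example,dc=com", "Old-Secret-1",
                  pwd_changed_time=now - timedelta(hours=2))     # younger than pwdMinAge
    bob = Entry("uid=bob,ou=people,dc=example,dc=com", "Old-Secret-9",
                pwd_changed_time=now - timedelta(days=3))        # older than pwdMinAge
    idm = "cn=idm-tool,ou=services,dc=example,dc=com"
    write_only: Acl = {(idm, "userPassword"): "write"}
    manage: Acl = {(idm, "userPassword"): "manage"}
    self_service: Acl = {(alice.dn, "userPassword"): "write", (bob.dn, "userPassword"): "write"}
    cases = {
        # today's situation: write ACL, no old password, no control -> pwdSafeModify refuses
        "idm write, no control":  (PasswordModify(idm, alice, "New-Secret-2"), write_only),
        # the control alone must not be enough
        "idm write + relax":      (PasswordModify(idm, alice, "New-Secret-2", relax_rules=True), write_only),
        # manage access alone must not be enough either
        "idm manage, no control": (PasswordModify(idm, alice, "New-Secret-2"), manage),
        # both conditions: the override the thread asks for
        "idm manage + relax":     (PasswordModify(idm, alice, "New-Secret-2", relax_rules=True), manage),
        # the override never grants access the ACL does not: no ACL entry -> refused
        "idm no acl + relax":     (PasswordModify(idm, alice, "New-Secret-2", relax_rules=True), {}),
        # the rootDN keeps its existing unconditional bypass
        "rootDN":                 (PasswordModify(ROOT_DN, alice, "New-Secret-2"), {}),
        # end users with the correct old password remain subject to pwdMinAge
        "alice self-change":      (PasswordModify(alice.dn, alice, "New-Secret-2", old_password="Old-Secret-1"), self_service),
        "bob self-change":        (PasswordModify(bob.dn, bob, "New-Secret-3", old_password="Old-Secret-9"), self_service),
    }
    return {name: evaluate(req, policy, acl, now)[0] for name, (req, acl) in cases.items()}


if __name__ == "__main__":
    for name, accepted in demo().items():
        print("%-24s %s" % (name, "accepted" if accepted else "refused"))
```

The design point worth noting is the ordering in evaluate(): the normal access check runs before the bypass decision, so the Relax Rules control can relax policy checks only for a bind DN that already holds manage access, and neither the control nor the access level on its own changes the outcome.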